iOS vs Android in the Battle of Bring Your Own Device to Work Security

Bring Your Own Device (BYOD) policies are on the upswing, with many organizations embracing them for the perceived cost savings and productivity gains. Allowing employees to bring and use their own devices for work purposes generally means that they are more comfortable and efficient at using them. It also saves businesses from purchasing and replacing devices as technology progresses.

BYOD policies aren’t exactly a win-win situation for enterprises, as these benefits come with a range of security complications. One of the biggest questions is which operating system is better, Android or iOS?

Despite Android dominating the rest of the market, in a 2015 survey (the latest reliable data) iOS dominated the enterprise scene with 66% of devices. Although there aren’t any more recent figures that can be trusted, Android’s security issues over the last few years may have acted as a deterrent for uptake in the business environment.

Android is open source in nature, while iOS is closed source. While there are benefits to each of these approaches, Android’s nature has seen it develop more significant security issues than its rival OS.

Another key issue that Android faces is its fragmentation across the market. Six months out from its release, Android’s latest version, Nougat, has seen little more than a 1% adoption rate. About 31% of users are still using the previous version, Marshmallow, while about the same number again are using the version before that, Lollipop. iOS 10 was released at a similar time, but it is already used on 76% of devices.

This is largely due to Android being used across devices from a wide range of manufacturers, including many budget models. Each manufacturer can add their own software to their Android devices, which results in security complications that Apple doesn’t have to deal with. Apple only has to worry about its own devices, which makes it much easier to deploy the latest versions of their operating system.

Android’s Security History

Android has made the headlines again and again for security flaws, which is one of several factors that have led many enterprises to favor iOS instead. These flaws appear year on year, with some capable of unfettered access to the devices without the user needing to interact at all. Android suffers from its version fragmentation as well as a lack of control when it comes to firmware. These responsibilities fall on the shoulders of manufacturers and wireless carriers, which often leads to severe security issues that can take months to rectify. Some of the most recent security issues include:

The Quadrooter Vulnerability

In August 2016, Check Point, an Israeli security company, publicized findings on four security issues that affect phones that have Qualcomm chipsets. These are found in approximately 80% of Android handsets, including their flagship phones. According to Check Point, the vulnerabilities affected over 900 million devices. A malicious app can manipulate the flaws to escalate its privileges and access a user’s location and data.

The vulnerabilities were found on the chipset drivers for Qualcomm LTE modems, rather than the Android operating system. This meant that each hardware vendor had to come up with their own patch. Blackberry was one of the first companies to address the issue, but it took Google about a month to provide patches for all of the vulnerabilities.

The Certifi-gate Flaw

One year earlier, Check Point brought attention to another key security flaw affecting versions up to Android 5.1. This flaw was found in two mobile support tool plug-ins, which are used by many of the biggest phone manufacturers. In a similar fashion to the Quadrooter vulnerabilities, the Certifi-gate flaw could lead to attackers sneaking in through faulty apps and elevating permissions to take control of the phone. ZDNet reported that the flaw was even found in a Google Play approved app called Recordable Activator. The company behind the app quickly addressed the issue, and according to Google’s 2015 Android Security Year in Review, the flaw had not been exploited successfully.

Stagefright Vulnerability

Just one month beforehand, a critical flaw was found by a researcher from Zimperium. A group of software bugs, collectively known as Stagefright, made it possible for an attacker to send a malicious MMS message that could infiltrate and take over the device without the user having to take any action. All the attacker needed was the target’s phone number and they could infiltrate handsets with versions 2.2 and above.

One of the most alarming parts of this vulnerability is that it affected 95% of Android devices. It was first publicly announced on July 27, 2015, but only a small number of devices had been patched within the first week. The main reason for the lack of action is that the carriers and phone manufacturers are responsible for the firmware updates, not Google. When combined with the fragmentation and organizational complexities of the Android system, it led to severe delays.

Further vulnerabilities were found in the coming months, and it was estimated that one billion devices were affected. While patches have been released and those running newer versions of Android should be safe, those with older models that have not been updated are still and always will be vulnerable. Despite the huge concerns over the flaw, Adrian Ludwig, the Director of Android Security, said that due to its complexity, there had been no reported cases of the flaws being exploited.

Other Android Security Issues

These are just some of the most significant security flaws that we have seen on Android in recent years. There was also the Android Installer hijacking which affected versions up to Android 4.3, the Android FakeID vulnerability which affected versions up to Android 4.31, as well as many others, including some that render old Android web browsers vulnerable.

iOS Security History

One of the main advantages of iOS’s walled garden approach is that it makes it much easier for Apple to keep their system secure. Because Apple has complete control, they can typically offer fixes within days and push the updates to all devices (that are enabled to receive them). This limits the amount of time that vulnerabilities can be exploited, giving attackers less of an opportunity to take advantage of them. Despite this, it should not be assumed that an iPhone is impenetrable. iPhones have also had numerous security issues over the years, though not on the scale of Android.

iOS 10 Bug

When the latest version of iOS was released, it included a security glitch that allowed hackers to attempt passwords 2,500 times faster than in iOS 9 and older versions. Changes to the way that iPhones encrypt backups made it significantly easier to brute force passwords. Apple has since addressed the issue with updates 10.1 and 10.2. These updates used hashing, subsampling and noise injection to help protect user data.

Goto Bug

Back in 2014 when iOS 7 was released, there was a simple flaw that led to a significant vulnerability. In the code, an error was made and ‘goto fail’ was repeated twice, which bypassed the authentication check. The result made it much easier for attackers to access user emails or other data. While this vulnerability was significant, Apple was swift to address the problem by releasing iOS 7.06.
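
The duplicated ‘goto fail’ described above, as a simplified C model beside a fail-closed form. This is an added example, not Apple’s code: the function names and the string comparison standing in for signature verification are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the hashing and signature steps. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int signature_matches(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed form: the second "goto fail" is not governed by the if, so it
 * always runs while err is still 0. The signature comparison below it
 * is never reached and the function reports success. */
int verify_flawed(const char *params, const char *sig, const char *expected) {
    int err;
    if ((err = hash_update(params)) != 0)
        goto fail;
        goto fail;
    if ((err = signature_matches(sig, expected)) != 0)
        goto fail;
fail:
    return err;
}

/* Fail-closed form: braces on every branch, and the result starts as
 * failure and becomes success only after every check has passed. */
int verify_fixed(const char *params, const char *sig, const char *expected) {
    int err = -1;
    if (hash_update(params) != 0) {
        goto done;
    }
    if (signature_matches(sig, expected) != 0) {
        goto done;
    }
    err = 0; /* reached only when all checks succeeded */
done:
    return err;
}

int main(void) {
    /* Constructed inputs: "forged" does not match the expected value. */
    printf("flawed accepts forged signature: %s\n",
           verify_flawed("params", "forged", "valid") == 0 ? "yes" : "no");
    printf("fixed accepts forged signature:  %s\n",
           verify_fixed("params", "forged", "valid") == 0 ? "yes" : "no");
    return 0;
}
```

Compilers can flag this pattern: GCC’s -Wmisleading-indentation and Clang’s -Wunreachable-code both warn on the flawed function.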

Other iOS Security Issues

Over the years, iOS has also had other security vulnerabilities, but these weren’t as significant as the prior two. One threat that users used to face is juicejacking, where a phone could be infected by malware when plugged into an unsafe charging station, such as at an airport. iOS 7 helped to mitigate these attacks by asking the user whether they trusted the source. In 2014, there were also problems with the iOS MobileMail.app not encrypting attachments. This bug was fixed in iOS 7.1.2. In 2016, iOS also had an issue similar to the Stagefright Android vulnerability, allowing attackers to penetrate iOS devices using specially-crafted messages sent through iMessage.

Android Nougat vs iOS 10

The latest offerings from both Google and Apple have continued to push more enterprise oriented features into their operating systems. Apple may have led the way, but Google is quickly adapting to make Android more secure in the business environment.

If your business is contemplating whether to embrace iOS or Android, it is important to remember that only a tiny percent of Android’s devices currently use Nougat, the latest version of Android. Older versions will lack many of these features.

Encryption

Encryption is crucial for sensitive data, particularly if the device is also engaged in personal use. Encryption support first came about for Android in 2014. With Marshmallow, Google introduced support for ARM’s Trustzone hardware to keep encryption keys more secure. This is now required for Android Nougat devices, which is excellent from a security perspective, but has also meant that many devices cannot upgrade to Nougat. In Nougat, it is also possible to encrypt files rather than all of the data. This enables users to use some of the device’s functions without entering their key.

Data protection has been offered since the iPhone 3GS. Apple offers multiple protection classes for different levels of data. In addition to an unprotected class, data can be encrypted unless open, or encrypted until first user authentication.

Remote Wipe

Devices can easily get lost or stolen. If an employee’s device contains sensitive data, it is important that it can be remotely locked or wiped to ensure that thieves cannot access valuable information. If an employee’s phone doesn’t come with the Android Device Manager, they will need to download it first. To lock or erase data, users need to log into their Google account and set it up beforehand.

iOS offers the built-in Find My iPhone feature. Users can remotely wipe their data whenever the device is online. If the device is returned, the data can be restored through iCloud if backup was turned on beforehand.

Other Security Features

Nougat features many upgrades that have made it a worthy competitor to iOS 10. Some of its key offerings include passcode enforcement for individual apps, upgrades to app permission policies and more granular access management. Google’s Android For Work initiative has also provided Enterprise Mobility Management (EMM) solutions. In addition, there is an option for a VPN that cannot be bypassed when the device is in work mode.

iOS 10 comes with a Universal Clipboard that allows content to be shared with macOS devices through the cloud instead of AirDrop. This is much more secure. The latest version of iOS also supports VPN IKEv2 EAP-only mode, which provides a secure way for employees to access corporate data.

Google Play vs Apple’s App Store

One of the big security concerns for enterprise is the difference between the app stores of the two major players. Unless a device is jailbroken, Apple users can only download apps from the official App Store. On the other hand, Android allows users to download third party apps in addition to those from Google Play. This provides an additional avenue for malware to slip into Android devices.

Apple has also implemented much stricter control over their apps than Google. The apps are reviewed by Apple’s app team and can be rejected for minor errors and for violating Apple’s app policies. Apple also has the ability to remotely disable apps when problems are discovered.

For the past two years, Google has been trying to tighten up security controls in its apps. It has forced the developers of 275,000 Android apps to patch their security issues as part of the App Security Improvement program. Android doesn’t provide an out of the box feature to restrict the resources that applications can access; however, external applications such as App Ops can be downloaded from the Google Play store and configured with these restrictions.

From the start of this year, Apple has required all of its apps to use the App Transport Security feature, which forces app traffic to flow through encrypted HTTPS connections.

Best BYOD Security Practices

Having a good BYOD security policy is just as important as finding the best OS. While Android has a long history of issues, the latest version of its OS has become much more competitive with iOS on a security level. Despite this, the majority of devices are still using older and less secure versions. If a business decides to let Android devices into the workplace, it needs to understand the security issues that come with older Android devices and have a policy in place that restricts access to sensitive data and systems. This policy should also spell out exactly what kinds of apps are permitted and what device settings (e.g. password strength, device encryption, etc.) must be in place.

While iOS has long been a clear market leader in the enterprise environment, it has not been without its security issues. For optimal security, employees need to have the latest updates, patch any prior security issues, and generally be trained on security vigilance and best practices.

BYOD policies come with a range of security risks that are challenging for businesses to manage. Android is generally more flexible, while iOS is more streamlined and tightly controlled. Despite the benefits of Android’s flexibility, it has also had severe security problems over the years and still suffers from an inability to generally push out security updates quickly.

At this stage, Android’s fragmentation and past performance issues make iOS seem like the more appealing option for enterprise. Despite this, the recent leaps that Google has made with Nougat could see the tables turn in the coming years.